[PATCH BlueZ 1/2] audio: Fix headset NULL pointer dereference during AT+BLDN response

From: Syam Sidhardhan @ 2012-10-23 13:57 UTC
To: linux-bluetooth

While waiting for the AT+BLDN asynchronous response, if RFCOMM got
disconnected, then the response will cause a NULL pointer dereference.

During headset disconnection, the headset state changes from
HEADSET_STATE_CONNECTED to HEADSET_STATE_DISCONNECTED along with
freeing the dev->headset. During the response, in telephony_generic_rsp
it's dereferencing.

Log:
bluetoothd[5573]: audio/headset.c:handle_event() Received AT+BLDN
bluetoothd[5573]: audio/telephony.c:telephony_last_dialed_number_req()
telephony-tizen: last dialed number request
bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() +
bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() -
bluetoothd[5573]: Endpoint replied with an error: org.freedesktop.DBus\
.Error.NoReply
bluetoothd[5573]: audio/telephony.c:telephony_device_disconnected()
telephony-tizen: device 0x40439b60 disconnected
bluetoothd[5573]: audio/headset.c:headset_set_state() State changed
/org/bluez/5573/hci0/dev_BC_47_60_F5_88_89:
HEADSET_STATE_CONNECTED -> HEADSET_STATE_DISCONNECTED
bluetoothd[5573]: audio/media.c:headset_state_changed()
bluetoothd[5573]: audio/media.c:headset_state_changed() Clear endpoint
0x40430620
bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
redial_reply
bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
dial_reply reply: No Call log
---
 audio/headset.c | 3 +++
 1 files changed, 3 insertions(+), 0 deletions(-)

diff --git a/audio/headset.c b/audio/headset.c
index bd83a65..30d24cf 100644
--- a/audio/headset.c
+++ b/audio/headset.c @@ -689,6 +689,9 @@ static int telephony_generic_rsp(struct audio_device *device, cme_error_t err) struct headset *hs = device->headset; struct headset_slc *slc = hs->slc; + if (!slc) + return -EIO; + if ((err != CME_ERROR_NONE) && slc->cme_enabled) return headset_send(hs, "\r\n+CME ERROR: %d\r\n", err); -- 1.7.4.1
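Review bot: the new guard in the @@ -689 hunk tests `slc` only, but `struct headset_slc *slc = hs->slc;` is evaluated before the check, and the commit message says it is dev->headset that gets freed during disconnection. If `device->headset` is NULL by the time the reply arrives, `hs->slc` still dereferences NULL (and if it was freed rather than cleared, that read is a use-after-free), so the check belongs on `hs` before `slc` is computed, e.g. `if (!hs || !hs->slc) return -EIO;`. If it is in fact `hs->slc` that is cleared on disconnect rather than `dev->headset`, the message should say so, since that is the invariant the guard relies on.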
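The failure mode in the commit message is a late asynchronous reply touching state that a disconnect already tore down. The following is an added example, not BlueZ code: it reuses the patch's names (headset, slc, telephony_generic_rsp, CME_ERROR_NONE) on a constructed data layout, replays the sequence from the log (request issued, RFCOMM drops, reply arrives), and puts the guard ahead of every dereference so it also covers the case where `device->headset` itself is gone. `CME_ERROR_EXAMPLE`, `headset_disconnect` and `run_late_reply` are constructed for this example.

```c
/* Added example, not BlueZ code: models the race the patch message describes.
 * An AT+BLDN request leaves an asynchronous telephony reply outstanding; if
 * RFCOMM drops first, disconnect frees the SLC state, and the late reply must
 * notice that before touching it. Names mirror the patch (headset, slc,
 * telephony_generic_rsp); the data layout and values are constructed here. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* CME_ERROR_NONE is the patch's name; CME_ERROR_EXAMPLE is a constructed value. */
typedef enum { CME_ERROR_NONE = 0, CME_ERROR_EXAMPLE = 1 } cme_error_t;

struct headset_slc {
    int cme_enabled;          /* +CME ERROR reporting was enabled by the HF */
};

struct headset {
    struct headset_slc *slc;  /* set to NULL when the RFCOMM link is torn down */
    char last_sent[48];       /* what would have gone out on the RFCOMM socket */
};

struct audio_device {
    struct headset *headset;  /* may also be freed/cleared on disconnect */
};

/* Stand-in for headset_send(): records the response instead of writing it. */
static int headset_send(struct headset *hs, const char *rsp)
{
    snprintf(hs->last_sent, sizeof(hs->last_sent), "%s", rsp);
    return 0;
}

/* Reply handler with the guard placed before any dereference. The patch
 * checks slc only, after computing hs->slc; checking hs first also covers
 * the case the message describes, where dev->headset itself was freed. */
int telephony_generic_rsp(struct audio_device *device, cme_error_t err)
{
    struct headset *hs = device->headset;
    char buf[48];

    if (!hs || !hs->slc)
        return -EIO;          /* link gone: drop the reply */

    if (err != CME_ERROR_NONE && hs->slc->cme_enabled) {
        snprintf(buf, sizeof(buf), "\r\n+CME ERROR: %d\r\n", (int) err);
        return headset_send(hs, buf);
    }
    return headset_send(hs, err == CME_ERROR_NONE ? "\r\nOK\r\n" : "\r\nERROR\r\n");
}

/* Disconnect path (constructed): frees the SLC the way a state change to
 * HEADSET_STATE_DISCONNECTED would, leaving the headset object to the caller. */
static void headset_disconnect(struct audio_device *device)
{
    if (!device->headset)
        return;
    free(device->headset->slc);
    device->headset->slc = NULL;
}

/* Drives the sequence from the log: request issued, optional RFCOMM drop,
 * then the D-Bus reply arrives. Returns the handler's result and, via
 * `sent`, whatever was written to the headset (empty if nothing was). */
static int run_late_reply(int disconnect_first, char *sent, size_t len)
{
    struct headset_slc *slc = calloc(1, sizeof(*slc));
    struct headset *hs = calloc(1, sizeof(*hs));
    struct audio_device dev = { .headset = hs };
    int rc;

    slc->cme_enabled = 1;
    hs->slc = slc;
    if (disconnect_first)
        headset_disconnect(&dev);

    rc = telephony_generic_rsp(&dev, CME_ERROR_EXAMPLE);
    snprintf(sent, len, "%s", hs->last_sent);

    free(hs->slc);            /* NULL after a disconnect; free(NULL) is a no-op */
    free(hs);
    return rc;
}

/* Result of the reply handler for the given ordering: -EIO after a disconnect. */
int late_reply_rc(int disconnect_first)
{
    char sent[48];
    return run_late_reply(disconnect_first, sent, sizeof(sent));
}

/* 1 if a +CME ERROR line reached the headset, 0 if the reply was dropped. */
int late_reply_sent_cme(int disconnect_first)
{
    char sent[48];
    run_late_reply(disconnect_first, sent, sizeof(sent));
    return strcmp(sent, "\r\n+CME ERROR: 1\r\n") == 0;
}

int main(void)
{
    printf("reply after disconnect: rc=%d (expected %d)\n", late_reply_rc(1), -EIO);
    printf("reply while connected: CME error sent=%d\n", late_reply_sent_cme(0));
    return 0;
}
```

The guard is the minimal fix; the more robust design is to cancel or detach the pending D-Bus call when the state machine leaves HEADSET_STATE_CONNECTED, so a late reply never reaches a handler that has to reason about freed memory at all.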
[PATCH BlueZ 2/2] gdbus: Replace leading spaces with tabs

From: Syam Sidhardhan @ 2012-10-23 13:57 UTC
To: linux-bluetooth

Trivial formatting fix.
---
 gdbus/object.c | 8 ++++----
 1 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/gdbus/object.c b/gdbus/object.c index 9689006..d58a1a8 100644 --- a/gdbus/object.c +++ b/gdbus/object.c @@ -226,7 +226,7 @@ void g_dbus_pending_success(DBusConnection *connection, { GSList *list; - for (list = pending_security; list; list = list->next) { + for (list = pending_security; list; list = list->next) { struct security_data *secdata = list->data; if (secdata->pending != pending) @@ -240,7 +240,7 @@ void g_dbus_pending_success(DBusConnection *connection, dbus_message_unref(secdata->message); g_free(secdata); return; - } + } } void g_dbus_pending_error_valist(DBusConnection *connection, @@ -249,7 +249,7 @@ void g_dbus_pending_error_valist(DBusConnection *connection, { GSList *list; - for (list = pending_security; list; list = list->next) { + for (list = pending_security; list; list = list->next) { struct security_data *secdata = list->data; DBusMessage *reply; @@ -268,7 +268,7 @@ void g_dbus_pending_error_valist(DBusConnection *connection, dbus_message_unref(secdata->message); g_free(secdata); return; - } + } } void g_dbus_pending_error(DBusConnection *connection, -- 1.7.4.1
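Review bot: in all four hunks (the `for (list = pending_security; ...)` loops at @@ -226 and @@ -249 and the closing braces at @@ -240 and @@ -268) the removed and added lines read identically in this view because the extraction collapsed leading whitespace, so the space-to-tab change cannot be verified from what is visible here; check the raw patch with `git show --ws-error-highlight=all` (or pipe it through `cat -A`) before applying. The 4 insertions / 4 deletions diffstat is consistent with a whitespace-only change to those four lines, and nothing else in gdbus/object.c is touched.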
Re: [PATCH BlueZ 2/2] gdbus: Replace leading spaces with tabs

From: Johan Hedberg @ 2012-11-16 8:07 UTC
To: Syam Sidhardhan; Cc: linux-bluetooth

Hi Syam,

On Tue, Oct 23, 2012, Syam Sidhardhan wrote:
> Trivial formatting fix.
> ---
>  gdbus/object.c | 8 ++++----
>  1 files changed, 4 insertions(+), 4 deletions(-)

This patch has been applied. Thanks.

Johan
Re: [PATCH BlueZ 1/2] audio: Fix headset NULL pointer dereference during AT+BLDN response

From: Syam Sidhardhan @ 2012-11-09 3:32 UTC
To: Syam Sidhardhan; Cc: linux-bluetooth

Hi,

On Tue, Oct 23, 2012 at 7:27 PM, Syam Sidhardhan <s.syam@samsung.com> wrote:
> While waiting for the AT+BLDN asynchronous response, if RFCOMM got
> disconnected, then the response will cause a NULL pointer dereference.
>
> During headset disconnection, the headset state changes from
> HEADSET_STATE_CONNECTED to HEADSET_STATE_DISCONNECTED along with
> freeing the dev->headset. During the response, in telephony_generic_rsp
> it's dereferencing.
>
> Log:
> bluetoothd[5573]: audio/headset.c:handle_event() Received AT+BLDN
> bluetoothd[5573]: audio/telephony.c:telephony_last_dialed_number_req()
> telephony-tizen: last dialed number request
> bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() +
> bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() -
> bluetoothd[5573]: Endpoint replied with an error: org.freedesktop.DBus\
> .Error.NoReply
> bluetoothd[5573]: audio/telephony.c:telephony_device_disconnected()
> telephony-tizen: device 0x40439b60 disconnected
> bluetoothd[5573]: audio/headset.c:headset_set_state() State changed
> /org/bluez/5573/hci0/dev_BC_47_60_F5_88_89:
> HEADSET_STATE_CONNECTED -> HEADSET_STATE_DISCONNECTED
> bluetoothd[5573]: audio/media.c:headset_state_changed()
> bluetoothd[5573]: audio/media.c:headset_state_changed() Clear endpoint
> 0x40430620
> bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
> redial_reply
> bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
> dial_reply reply: No Call log
> ---
>  audio/headset.c | 3 +++
>  1 files changed, 3 insertions(+), 0 deletions(-)
>
> diff --git a/audio/headset.c b/audio/headset.c
> index bd83a65..30d24cf 100644
> --- a/audio/headset.c
> +++ b/audio/headset.c
> @@ -689,6 +689,9 @@ static int telephony_generic_rsp(struct audio_device *device, cme_error_t err) > struct headset *hs = device->headset; > struct headset_slc *slc = hs->slc; > > + if (!slc) > + return -EIO; > + > if ((err != CME_ERROR_NONE) && slc->cme_enabled) > return headset_send(hs, "\r\n+CME ERROR: %d\r\n", err);
>

ping.

Thanks,
Syam
Re: [PATCH BlueZ 1/2] audio: Fix headset NULL pointer dereference during AT+BLDN response

From: Johan Hedberg @ 2012-11-13 15:40 UTC
To: Syam Sidhardhan; Cc: Syam Sidhardhan, linux-bluetooth

Hi Syam,

On Fri, Nov 09, 2012, Syam Sidhardhan wrote:
> On Tue, Oct 23, 2012 at 7:27 PM, Syam Sidhardhan <s.syam@samsung.com> wrote:
> > While waiting for the AT+BLDN asynchronous response, if RFCOMM got
> > disconnected, then the response will cause a NULL pointer dereference.
> >
> > During headset disconnection, the headset state changes from
> > HEADSET_STATE_CONNECTED to HEADSET_STATE_DISCONNECTED along with
> > freeing the dev->headset. During the response, in telephony_generic_rsp
> > it's dereferencing.
> >
> > Log:
> > bluetoothd[5573]: audio/headset.c:handle_event() Received AT+BLDN
> > bluetoothd[5573]: audio/telephony.c:telephony_last_dialed_number_req()
> > telephony-tizen: last dialed number request
> > bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() +
> > bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() -
> > bluetoothd[5573]: Endpoint replied with an error: org.freedesktop.DBus\
> > .Error.NoReply
> > bluetoothd[5573]: audio/telephony.c:telephony_device_disconnected()
> > telephony-tizen: device 0x40439b60 disconnected
> > bluetoothd[5573]: audio/headset.c:headset_set_state() State changed
> > /org/bluez/5573/hci0/dev_BC_47_60_F5_88_89:
> > HEADSET_STATE_CONNECTED -> HEADSET_STATE_DISCONNECTED
> > bluetoothd[5573]: audio/media.c:headset_state_changed()
> > bluetoothd[5573]: audio/media.c:headset_state_changed() Clear endpoint
> > 0x40430620
> > bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
> > redial_reply
> > bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
> > dial_reply reply: No Call log
> > ---
> >  audio/headset.c | 3 +++
> >  1 files changed, 3 insertions(+), 0 deletions(-)
> >
> > diff --git a/audio/headset.c b/audio/headset.c
> > index bd83a65..30d24cf 100644
> > --- a/audio/headset.c
> > +++ b/audio/headset.c
> > @@ -689,6 +689,9 @@ static int telephony_generic_rsp(struct audio_device *device, cme_error_t err) > > struct headset *hs = device->headset; > > struct headset_slc *slc = hs->slc; > > > > + if (!slc) > > + return -EIO; > > + > > if ((err != CME_ERROR_NONE) && slc->cme_enabled) > > return headset_send(hs, "\r\n+CME ERROR: %d\r\n", err);
> >
> > ping.

This file doesn't exist in bluez.git anymore.

Johan
Re: [PATCH BlueZ 1/2] audio: Fix headset NULL pointer dereference during AT+BLDN response

From: Syam Sidhardhan @ 2012-11-13 16:27 UTC
To: Syam Sidhardhan, Syam Sidhardhan, linux-bluetooth

Hi Johan,

On Tue, Nov 13, 2012 at 9:10 PM, Johan Hedberg <johan.hedberg@gmail.com> wrote:
> Hi Syam,
>
> On Fri, Nov 09, 2012, Syam Sidhardhan wrote:
>> On Tue, Oct 23, 2012 at 7:27 PM, Syam Sidhardhan <s.syam@samsung.com> wrote:
>> > While waiting for the AT+BLDN asynchronous response, if RFCOMM got
>> > disconnected, then the response will cause a NULL pointer dereference.
>> >
>> > During headset disconnection, the headset state changes from
>> > HEADSET_STATE_CONNECTED to HEADSET_STATE_DISCONNECTED along with
>> > freeing the dev->headset. During the response, in telephony_generic_rsp
>> > it's dereferencing.
>> >
>> > Log:
>> > bluetoothd[5573]: audio/headset.c:handle_event() Received AT+BLDN
>> > bluetoothd[5573]: audio/telephony.c:telephony_last_dialed_number_req()
>> > telephony-tizen: last dialed number request
>> > bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() +
>> > bluetoothd[5573]: audio/telephony.c:dbus_method_call_send() -
>> > bluetoothd[5573]: Endpoint replied with an error: org.freedesktop.DBus\
>> > .Error.NoReply
>> > bluetoothd[5573]: audio/telephony.c:telephony_device_disconnected()
>> > telephony-tizen: device 0x40439b60 disconnected
>> > bluetoothd[5573]: audio/headset.c:headset_set_state() State changed
>> > /org/bluez/5573/hci0/dev_BC_47_60_F5_88_89:
>> > HEADSET_STATE_CONNECTED -> HEADSET_STATE_DISCONNECTED
>> > bluetoothd[5573]: audio/media.c:headset_state_changed()
>> > bluetoothd[5573]: audio/media.c:headset_state_changed() Clear endpoint
>> > 0x40430620
>> > bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
>> > redial_reply
>> > bluetoothd[5573]: audio/telephony.c:telephony_dial_number_reply()
>> > dial_reply reply: No Call log
>> > ---
>> >  audio/headset.c | 3 +++
>> >  1 files changed, 3 insertions(+), 0 deletions(-)
>> >
>> > diff --git a/audio/headset.c b/audio/headset.c
>> > index bd83a65..30d24cf 100644
>> > --- a/audio/headset.c
>> > +++ b/audio/headset.c
>> > @@ -689,6 +689,9 @@ static int telephony_generic_rsp(struct audio_device *device, cme_error_t err) >> > struct headset *hs = device->headset; >> > struct headset_slc *slc = hs->slc; >> > >> > + if (!slc) >> > + return -EIO; >> > + >> > if ((err != CME_ERROR_NONE) && slc->cme_enabled) >> > return headset_send(hs, "\r\n+CME ERROR: %d\r\n", err);
>> >
>>
>> ping.
>
> This file doesn't exist in bluez.git anymore.
>

Yes, I noticed Luiz's patch which removes the headset.c and other stuff.

Thank you.

Regards,
Syam.